Personally identifiable information (PII), or Sensitive Personal Information (SPI), in privacy and information security law, refers to information that can be used on its own, or with other information, to identify, contact, or locate a person.
NIST Special Publication 800-122 defines PII as “any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.” NIST also directs that, for the express purpose of distinguishing individual identity, a person's full name, home address, email address (if private from an association/club membership, etc.), IP address (when linked, but not PII by itself in the US) and telephone number be clearly classified as examples of PII.
Under such a definition, a user's IP address is not PII but can be “linked PII,” a “quasi identifier” or a “pseudo-identifier,” when it is combined with other information and the combination serves to enable identification, contact or location of a person.
The gathering of PII by organizations via Internet use, as well as breaches of Internet security, network security and web browser security, have become widespread. That collection, though not always used for criminal activity, can be used for such ends. As a result, various laws and regulations have been placed on the gathering and use of such PII in countries around the world.
One of the primary focuses of the Health Insurance Portability and Accountability Act (HIPAA) is to protect a patient's Protected Health Information (PHI), which is similar to PII (or may be theoretically considered to be included in PII). Additionally, various states in the United States have privacy laws regarding protection of PII and/or personal information. Likewise, various other countries have their own versions of privacy and data protection laws, including Australia, the European Union and Canada.